The Advanced Configuration tab of the Scan Configuration dialog box is used to change advanced registry settings that affect specific scans (Scan Configuration > Advanced Configuration tab), and it should only be used by experienced AppScan® users, or when instructed to do so by the support team to troubleshoot a problem.

Multi-Step Operations view

The Multi-Step Operations view of the Configuration dialog
box is for testing parts of the site that can only be reached by clicking
links in a specific order.

A multi-step operation is needed to explore parts of the site that can
only be reached by clicking links in a specific order, such as an online shop where the user
adds items to a cart before paying for them. Consider the following three pages:

1. User adds one or more items to a shopping cart
2. User fills in payment and shipping details
3. User receives confirmation that the order is complete

Page 2 can be reached only via Page 1. Page 3 can be reached only via Page 1 followed by Page
2. This is a sequence. In order to be able to test Pages 2 and 3, AppScan® must send the correct sequence of HTTP requests before each
test.

In the case of the above example you would record a single sequence: Page 1 > Page 2 > Page 3.
AppScan would extract the necessary sub-sequences from
this sequence, as required. (When testing Page 2 it would send a Page 1 request first; when testing
Page 3, it would send Page 1 followed by Page 2.)

Note: It is suggested that the number of multi-step operations be limited to five, with no more than
25 steps in any single operation, and no more than 70 steps altogether.

Note: Configuring multi-step operations should not be confused with manual exploring, and should
only be used in cases like the one described above. For more details, see Manual Explore using AppScan.

Table 1. Multi-Step Operations view options

Setting

Details

Record

Click to record a new sequence. If login details have been configured, you can click the down
arrow to select:

AppScan IE browser > Log in and then record

AppScan will log in to the application automatically
(using the login you recorded) before the browser opens. You can then record your multi-step
operation without recording the login requests. This method has the advantage that the login
requests will not be replayed every time this sequence is played, but only if AppScan is out-of-session.

Note: Parameters and cookies that are
present in the Multi-Step sequence but not in the Login sequence, are always tracked as
Dynamic, even if you change their tracking to Login Value.

AppScan IE browser > Record without login

AppScan will begin recording the sequence without
logging in. When the browser opens you record your multi-step sequence directly. If you need to log
in, the login will be part of the recording and will therefore be replayed every time the sequence
is played, which can significantly increase scan time. Where login is required, the best practice is
to use the previous option.

Note: If you use this option and then record login requests as part of
the sequence, parameters and cookies received are always tracked as Dynamic, even if they are
Login requests, and even if you change their tracking to Login Value.

AppScan Chromium browser

AppScan will record using the built-in Chromium-based browser, without logging in. When
the browser opens you can log in, if needed, and then record your multi-step sequence.

Note: If you
use this option and then record login requests as part of the sequence, parameters and
cookies received will always be treated as Dynamic, even if they are Login requests, and even if you
change their tracking to Login Value.

Export a sequence (as an SEQ file) for use with a different scan; import a sequence (SEQ file)
exported from a different scan; delete the selected sequence from the current scan.

Playback Method

When you record a multi-step operation, AppScan
records both the actions and the requests. You can select which of them will be used for the
scan:

Request-based playback

Sends the raw HTTP requests from the recording. This method is usually faster.

Action-based playback

Replays the clicks and keystrokes of the user. Reasons for selecting this method could be that
the site includes a lot of JavaScript, or that some of the requests in the request-based playback
were marked with a red X when you attempted to validate them. This method can increase scan
time.

Request-based playback is the default method.

Note: If the scan is configured not to use a
browser other than the embedded browser (Tools > Options > Use external browser), request-based
playback is always used.

Note: If you load a sequence that was recorded in a version of
AppScan that did not support action-based playback, request-based playback is used for that
sequence, even if action-based playback is selected.

Note: If you select Action-based
playback for a multi-step operation, you must also select Action-based as the login method. If
necessary, record the Login sequence again (see Login Management view).

Sequence List

Lists all recorded Multi-Step Operations for this scan.

Sequence Name

The name of the sequence that is selected in the List of Sequences. The check box next to each
one indicates if the sequence is enabled for this scan.

Validate

Click this to check that the sequence is valid. AppScan replays the sequence, and any requests
that receive a response different to the original response are marked with a red X, indicating that
they will not be tested.

Tip: A common reason for requests receiving a different response
is the presence of a dynamic sequence variable that needs to be defined (see Sequence variables). If this is not the problem, and the site contains JavaScript,
changing to action-based playback may give better results.

Recorded URLs

Shows the links or actions in the selected sequence.

Validated

A green check mark indicates that the URL has been validated. A red X appears next to URLs that
were not validated.

Test

Indicates whether this URL will be tested on its own (as well as in the Multi-Step Operation).
Options are Yes/No. To change the setting, right-click on the URL and select Test / Don't
Test. Even if you select No, the URL will still be played as part of the Multi-Step
Operation.

Play Sequence

(Applies to tested URLs only) Indicates whether the previous steps in the sequence will be
replayed each time this URL is tested. Options are Yes/No. To change the setting right-click
and select Play sequence before testing request > Yes/No.

View any link in the sequence by selecting it and then clicking the browser button (you can
delete individual requests by clicking the trash icon in the upper right of the dialog that
opens).

Delete any link in the sequence by selecting it and clicking . After doing this click Validate to check that the updated sequence stays
in-session.

Log in before sequence replay

If selected, each time a Multi-Step Operation is played, AppScan will log in first. This option
is cleared if you record the login as part of the multi-step operation.

Allow play optimization

(Request-based playback only) When selected (default), AppScan attempts to optimize scan time by avoiding unnecessary playback. You should not
disable this setting unless you find that AppScan is
missing parts of the application due to play optimization. The Scan Log can
help in determining this.

Test in Single-Thread mode

AppScan may send two or more requests simultaneously,
if they don't require the replaying of a sequence between them. If this results in parts of the
application being missed, select this check box.

Sequence Variables

Lists variables that were received while recording the sequence(s), and indicates those that AppScan has determined should be tracked. These may be session
IDs or other variables. You can change the status of variables in this list to improve how AppScan deals with them (for details see Sequence variables).
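
An added example, not part of the AppScan documentation and not AppScan's own code: a constructed Python model of the three-page shop described above. It shows which sub-sequence has to be replayed before each page is tested, and why replaying the raw recorded requests fails validation when a value that changes on every response is not tracked as a dynamic sequence variable. The `Shop` server, its token scheme and all function names are hypothetical.

```python
# Added illustration: a constructed model, not AppScan code. All names are hypothetical.
import secrets

class Shop:
    """Toy server: Page N is served only after Page N-1 in the same session."""
    def __init__(self):
        self.state = {}  # session -> (last page served, token expected next)

    def handle(self, session, page, token=None):
        last, expected = self.state.get(session, (0, None))
        if page != last + 1 or (page > 1 and token != expected):
            return {"status": 403}
        fresh = secrets.token_hex(8)  # changes on every response: a dynamic value
        self.state[session] = (page, fresh)
        return {"status": 200, "token": fresh}

def record(shop):
    """Walk Page 1 > Page 2 > Page 3 once, saving each raw request and its status."""
    seq, token = [], None
    for page in (1, 2, 3):
        resp = shop.handle("recording", page, token)
        seq.append({"page": page, "token": token, "status": resp["status"]})
        token = resp.get("token")
    return seq

def prefix_for(seq, page):
    """Pages that must be replayed, in order, before `page` can be tested."""
    return [req["page"] for req in seq if req["page"] < page]

def validate(shop, seq, track_dynamic, session):
    """Replay in a new session; False marks a response that differs (a red X)."""
    results, live = [], None
    for req in seq:
        token = live if track_dynamic else req["token"]
        resp = shop.handle(session, req["page"], token)
        results.append(resp["status"] == req["status"])
        live = resp.get("token")
    return results

if __name__ == "__main__":
    shop = Shop()
    seq = record(shop)
    print("before Page 3:", prefix_for(seq, 3))
    print("raw replay:   ", validate(shop, seq, False, "raw"))
    print("tracked:      ", validate(shop, seq, True, "tracked"))
```

In the raw replay, Page 1 still validates because it needs no prior state, while Page 2 is rejected for carrying the stale recorded token and Page 3 then fails because the session never advanced.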